A new XSS vulnerability was identified on Paypal.com earlier today, found by d3v1l and disclosed on both Security-Shell and XSSed. The problem is with the parameter sender_country in a transaction called nvpsm. NVP is Paypal’s API for Merchants to use when interacting with the Paypal web site, it stands for Name-Value Pair. SM is short for ‘send money’. A problem such as this can be used to capture a user’s session (essentially log in as that user) and perform privileged actions (money transfers) as that user, as well as send a user a valid Paypal URL but then redirect them to a malicious third party site (phishing, malware, etc.).

Attack String
The following is provided as example in the posts mentioned earlier:

Javascript injected into the name value pair of sender country is reflected on the resulting page.

Paypal is reflecting the supplied script in the error message they are displaying, as seen in the HTML source of the page:

Error COWException: invalid country "">XSS PAYLOAD"

Rather then display an alert box, an actual attacker would either redirect the user as shown below, or capture and send their session cookie (a piece of text the browser stores temporarily to identify a user’s logged in session) to a third party web site.

Same javascript alert, but displaying all of the user’s cookies under the PayPal domain.

XSS at a High Level
While the definition is ever expanding, XSS attacks are generally considered a type of injection problem where malicious input is injected into an otherwise trusted web page causing an unexpected behavior such as sending data to or from an unknown third party web site (cross site). Because the script is being run in the context of the trusted web site, it has access to cookies such as session tokens, as well as any other user information available within the security context of that web site. XSS vulnerabilities are somewhat common in web applications and will occur unfettered wherever untrusted input is not validated by the web application or encoded before output back to the user.

PayPal
The San Jose based company is owned by eBay and has more than 78 million customer accounts. As such the service is used to clear many of the transactions on the popular auction site. The service allows users to send money without needing to share financial information, a key enabler for sending and receiving money from third parties on the Internet. They are in some 190 markets around the world and can work with 19 different currencies.

In 2008 roughly $60 billion dollars moved through Paypal’s systems.

Paypal does make available additional authentication protection in the form of a one time password token called a ’security key’ by them (similar to the ones made popular by RSA). The token costs five dollars and is available to residents of Australia, Germany, Canada, the United Kingdom and the United States. Paypal however allows a bypass of this hard token by allowing the user to enter further information such as credit card or bank number, severely impacting its effectiveness as a security measure.

Further authentication “on the front door” of the web site (the login screen) does not prevent a user session from being hijacked after authentication as is possible in a cross site scripting attack like this one.

It is worth it to note that PayPal is PCI compliant, being subject to quarterly vulnerability scans, as stated on their site.

Finally
Users have the ability to go through a process to apply for a refund from PayPal if their account is broken into, but this is not always a clean process. A site should almost never reflect (redisplay) input received from an untrusted source (“the user”), which in this case is the browser, without escaping the output. PayPal has had similar problems with cross site scripting in the past, including an incident back in March. While XSS attacks can be downplayed, a site such as PayPal that performs money transfers (for users of eBay it is basically the only way to send and receive payment) usually has to address these problems quickly. A more comprehensive approach (a shared function that encodes all output originating from untrusted input on the site) is something they could start looking towards to protect their users.

Sponsor Ad

It didn’t take a whole lot of social engineering for people to give up their passwords: ask them what the password consists of (like it’s my cat’s name and birthday), ask the cat’s name, ask a deflecting question, then ask for the birthday.

It’s an annual puff piece, whoever is in charge of security at the Super Bowl appears on the news in front of some barrier or computer screen, talking about the number of security guards, guard dogs, or whatever else passes as some grand measure of the ‘amount’ of security being applied. And as with Super […]

Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong.

On February 15th a joint project of the Department of Homeland Security Immigrations and Customs Enforcement (ICE) and the Department of Justice termed “Operation Protect Our Children” confidently announced the seizure of ten domain names involved in the advertisement and distribution of child pornography. What they failed to mention was that they also knocked out […]

On the Colbert Report, host Stephen Colbert provided some background on “the First Great Cyberwar” as the hacktivist collective Anonymous has dubbed it, the “Defend Assange” sub-mission of Operation Payback. Operation Payback started as a fight against anti-piracy measures, but has moved to attacking web sites seen to be impeding Wikileaks in its mission to […]

Hackers

Today, December 10th, Anonymous, an Internet gathering, released a press release which you can read below. In it, a description is provided of what Anonymous is about, what Operation Payback is, and where the media is getting it wrong. Also in it, its author forgot to remove his name in the pdf’s Meta information. Document […]

Featured Posts

It’s an annual puff piece, whoever is in charge of security at the Super Bowl appears on the news in front of some barrier or computer screen, talking about the number of security guards, guard dogs, or whatever else passes as some grand measure of the ‘amount’ of security being applied. And as with Super […]

Today, December 10th, Anonymous, an Internet gathering, released a press release which you can read below. In it, a description is provided of what Anonymous is about, what Operation Payback is, and where the media is getting it wrong. Also in it, its author forgot to remove his name in the pdf’s Meta information. Document […]

A new XSS vulnerability was identified on Paypal.com earlier today, found by d3v1l and disclosed on both Security-Shell and XSSed. The problem is with the parameter sender_country in a transaction called nvpsm. NVP is Paypal’s API for Merchants to use when interacting with the Paypal web site, it stands for Name-Value Pair. SM is short […]